[Dshield] Tracking and Reporting Probes

James dshield at webfocus.com
Tue Mar 26 05:31:44 GMT 2002


Company ABC is set up with a block of 32 static IP addresses.

IP Usage as follows.
	1 for the Gateway
	1 for the Firewall                  *
	2 for FTP Server   (DMZ)            *
	2 for Web Server   (DMZ)            *
	2 for DNS Servers  (DMZ)            *
	5 for One to One NAT in to the LAN  *

So ABC Company is using 13 out of the 30 usable IPs.  The firewall will 
report on the attacks/probes (if set up correctly) on the IPs that the 
firewall knows about on the DMZ and the One to One NAT and the IP of the 
firewall itself.

There are still 17 IPs that are just hanging in limbo.  Maybe in some 
database or spreadsheet as they are open for future use of some sort.

Questions:
*)  Should the extra IPs be left in limbo?  Will never know what kind of 
attacks/probes are happening on the 17 IPs.

*)  Should a PC with LaBrea be placed in the DMZ to act as the network 
connection for the 17 IPs?  Can now track, slow down and monitor.

*)  Or on the firewall, set up One to One NAT to a fake private IP block? This 
will allow the same monitoring tools to be used on the other IPs. The 
drawback is the impact that it will have on the firewall itself.

Input welcome.

Thanks

James





